SAS does not have Heartbleed vulnerabilities with our external Web sites.

SAS has no issues with the software shipped in SAS® 9.2 or SAS® 9.3 because these versions do not include OpenSSL 1.0.1 software.

SAS/SHARE® software and SAS/CONNECT® software encryption is not impacted by this issue.

The SOAP and HTTP procedures are not impacted by this issue.

SAS has determined that our SAS® 9.4 Web Server includes OpenSSL 1.0.1. A hot fix is available. All customers who have installed SAS 9.4 Web Server and configured it for the Secure Sockets Layer (SSL) are vulnerable. Refer to the SAS Note 52725 for more information and to download the hot fix.

SAS® DataFlux Secure does not deliver OpenSSL with the software. However, some customers may have implemented the Secure Socket Layer (SSL) to protect HTTP connections. If you are a DataFlux Secure customer, read SAS Note 52743 for more information.